java-21-openjdk-21.0.5.0.10-3.el8.ML.1

Errata ID: AXSA:2024-8941:16

Release date: Thursday, October 24, 2024 - 15:55
Subject: java-21-openjdk-21.0.5.0.10-3.el8.ML.1
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

The OpenJDK 21 runtime environment.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)
* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)
* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)
* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)
* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-48161
Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpScreen2RGB function in gif2rgb.c.
CVE-2024-21208
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21210
Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2024-21217
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21235
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-21-openjdk-21.0.5.0.10-3.el8.ML.1.src.rpm
    Size: 66.79 MB

Asianux Server 8 for x86_64
  1. java-21-openjdk-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 447.19 kB
  2. java-21-openjdk-demo-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 3.17 MB
  3. java-21-openjdk-demo-fastdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 3.17 MB
  4. java-21-openjdk-demo-slowdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 3.17 MB
  5. java-21-openjdk-devel-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 5.16 MB
  6. java-21-openjdk-devel-fastdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 5.16 MB
  7. java-21-openjdk-devel-slowdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 5.17 MB
  8. java-21-openjdk-fastdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 456.40 kB
  9. java-21-openjdk-headless-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 49.27 MB
  10. java-21-openjdk-headless-fastdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 54.05 MB
  11. java-21-openjdk-headless-slowdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 53.19 MB
  12. java-21-openjdk-javadoc-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 16.40 MB
  13. java-21-openjdk-javadoc-zip-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 41.50 MB
  14. java-21-openjdk-jmods-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 305.95 MB
  15. java-21-openjdk-jmods-fastdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 360.93 MB
  16. java-21-openjdk-jmods-slowdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 282.53 MB
  17. java-21-openjdk-slowdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 433.08 kB
  18. java-21-openjdk-src-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 47.34 MB
  19. java-21-openjdk-src-fastdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 47.34 MB
  20. java-21-openjdk-src-slowdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 47.34 MB
  21. java-21-openjdk-static-libs-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 30.90 MB
  22. java-21-openjdk-static-libs-fastdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 31.03 MB
  23. java-21-openjdk-static-libs-slowdebug-21.0.5.0.10-3.el8.ML.1.x86_64.rpm
    Size: 24.35 MB